Hi guys! I am kind of new to the field of reverse engineering, so sorry if this is a silly question.

I am currently analyzing a trojan for a school thesis that has similarities with the trojans Fareit and Tepfer. I already know that the main purpose of the malware is to steal user credentials and then send them to a C&C server via HTTP.

But there are two functionalities that I still don't understand:
- How is the malware encrypting the sent payload?
- Why is the malware creating a new CMD process? Does the malware maybe also function as a reverse shell?

Related to this sample: I've seen it on 14 Dec 2016 23:15:30 according to my system. This one is also known as 'Pony 3 gates', usually delivered by Hancitor. Here is a screenshot of one of their Pony panels: https://twitter.com/CyberCrimeWHQ/statu ... 0349409280

Related to your questions: I don't remember how the Pony encryption works etc., but there are literally tons of white papers about Pony and you can even find the code, so it shouldn't be hard to find your answers. And nope, Fareit/Tepfer don't do a reverse shell.